IPSEC Issues

Posted: Wed Jun 27, 2018 1:53 pm
by flynno
Hey guys,


I have been having trouble the past few days trying to set up an IPsec VPN to a remote location; somebody might be able to point me in the right direction.
I can get the IPsec connection to establish on phase 2 and can ping the remote server from the MikroTik device itself, but not from my PC command prompt using ping.

Setup
IPsec is set up on a CPE SXT Lite5 ac (mipsbe),
Static public IP address on the pppoe-out1 interface
DHCP network is 192.168.0.0/24 running on ether1
My PC is on ether1 and is plugged directly into the CPE itself.
Internet works fine until I enable the IPsec VPN, and then I have no connection.

I can disable the default route 0.0.0.0/0 gateway pppoe-out1 and the IPsec connection will still establish, and I can still ping the remote server from the CPE but not from the PC, as I added the gateway route to the remote server.

Is there a rule that is missing to route the traffic out the tunnel on ether1?

Router firewall rules

Package version is v6.42.4

/ip firewall filter
add action=accept chain=forward ipsec-policy=in,ipsec
add chain=input comment="IPSec ISAKMP" dst-port=500 protocol=udp
add chain=input comment="IPSec ESP" protocol=ipsec-esp
add chain=input comment="IPSec NAT-T" dst-port=4500 protocol=udp
add chain=input comment="IPSec L2TP" dst-port=1701 protocol=udp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow WinBox" dst-port=8291 protocol=tcp
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=pppoe-out1 log=yes
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log=yes
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=pppoe-out1
add action=accept chain=input comment="Allow DNS for trusted network" dst-port=53 protocol=udp src-address=192.168.0.0/24
add action=accept chain=input comment="Allow DNS for trusted network" dst-port=53 protocol=tcp src-address=192.168.0.0/24
add action=accept chain=input comment="Allow local network" src-address=192.168.0.0/24
add action=drop chain=input connection-state=new dst-port=53 in-interface=pppoe-out1 protocol=udp
add action=drop chain=input connection-state=new dst-port=53 in-interface=pppoe-out1 protocol=tcp

/ip firewall nat
add action=accept chain=srcnat protocol=udp src-port=500,4500 place-before=0
add action=masquerade chain=srcnat out-interface=pppoe-out1



Thanks in advance

Re: IPSEC Issues

Posted: Wed Jun 27, 2018 3:16 pm
by Anumrak
Can the remote server ping its IPsec gateway or the PC behind the Tik?

Re: IPSEC Issues

Posted: Wed Jun 27, 2018 3:48 pm
by flynno
Hi Anumrak,

The remote side admin told me that an extra firewall policy or route might be needed so traffic from PCs on the LAN can pass through the IPsec tunnel.


Thanks

Re: IPSEC Issues

Posted: Wed Jun 27, 2018 4:52 pm
by tippenring

> /ip firewall nat
> add action=accept chain=srcnat protocol=udp src-port=500,4500 place-before=0
> add action=masquerade chain=srcnat out-interface=pppoe-out1

It sure looks like you're NATing the traffic that would be destined for the remote network. You need an accept rule to prevent NAT from happening on that traffic.

add action=accept chain=srcnat dst-address-list=non-routable src-address=10.10.6.0/24

Re: IPSEC Issues

Posted: Wed Jun 27, 2018 5:05 pm
by Anumrak
I manage an L2TP/IPsec server, so there is no need for an accept NAT rule. Just try to ping the Tik IPsec gateway from the remote server and then try to ping your PC behind the Tik in the LAN. Also you have to be sure that the remote server has a static route to your LAN via the IPsec gateway IP.

Re: IPSEC Issues

Posted: Thu Jun 28, 2018 3:32 am
by flynno
The admin said everything is in order at their end and can see my pings hitting the web server from the MikroTik router, but I can't ping from my PC or reach the web server via browser.

VPN requirements:
Route-based VPNs are the standard VPN build, i.e. not policy-based VPNs. VPN selectors should be 0.0.0.0/0.0.0.0.
It is recommended to use public IP addressing instead to ensure no IP addressing conflict occurs with the private LAN ranges:

10.0.0.0/8
172.16.0.0/12
192.168.0.0/16

Public IP to Public Internet >> VPN Gateway >> Webportal

Re: IPSEC Issues

Posted: Thu Jun 28, 2018 10:55 am
by Anumrak
> The admin said everything is in order at their end and can see my pings hitting the web server from the MikroTik router, but I can't ping from my PC or reach the web server via browser.
>
> VPN requirements:
> Route-based VPNs are the standard VPN build, i.e. not policy-based VPNs. VPN selectors should be 0.0.0.0/0.0.0.0.
> It is recommended to use public IP addressing instead to ensure no IP addressing conflict occurs with the private LAN ranges:
>
> 10.0.0.0/8
> 172.16.0.0/12
> 192.168.0.0/16
>
> Public IP to Public Internet >> VPN Gateway >> Webportal

Perhaps the firewall on the PC blocks ICMP replies.

Re: IPSEC Issues

Posted: Thu Jun 28, 2018 6:56 pm
by flynno
When the IPsec tunnel is established, I have no internet on the PC that I am trying to ping from, so I guess I can't actually ping anything or even browse to the remote web server.

When I disable the IPsec tunnel, internet returns to normal.

Re: IPSEC Issues

Posted: Fri Jun 29, 2018 1:14 am
by flynno
Note: It is recommended that the IPsec address is NATed to public IP addressing.

My nat rules
/ip firewall nat add chain=srcnat src-address=192.168.0.0/24 action=src-nat to-addresses=x.x.x.x out-interface=pppoe-out1
/ip firewall nat add chain=srcnat src-address=192.168.0.0/24 action=src-nat to-addresses=x.x.x.x
/ip firewall nat add chain=dstnat dst-address=x.x.x.x action=dst-nat to-addresses=192.168.0.0/24

x.x.x.x is my public IP address above.

I tried my laptop and that is the same as the PC: can't ping or browse to the web server.
Turned off the firewall on the PC and enabled ICMP ping.

Command prompt on Windows to enable ICMP:
netsh advfirewall firewall add rule name="ICMP Allow incoming V4 echo request" protocol=icmpv4:8,any dir=in action=allow

Re: IPSEC Issues

Posted: Fri Jun 29, 2018 4:19 pm
by flynno
> I manage an L2TP/IPsec server, so there is no need for an accept NAT rule. Just try to ping the Tik IPsec gateway from the remote server and then try to ping your PC behind the Tik in the LAN. Also you have to be sure that the remote server has a static route to your LAN via the IPsec gateway IP.

Hi Anumrak,

When IPsec is enabled, I can't ping my PC from the Tik device.

Re: IPSEC Issues

Posted: Sat Jun 30, 2018 12:38 am
by flynno
Is it correct to have 0.0.0.0/0 in Src. Address and 0.0.0.0/0 in Dst. Address? Looking at the wiki guides, the local private network address and the remote private network address should be used.
I wasn't given a remote private network address to use, and the tunnel won't establish unless 0.0.0.0/0 in Src. Address and 0.0.0.0/0 in Dst. Address is used.
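Added example (not code from the thread or from RouterOS): a small Python model of the two decisions that tippenring's NAT remark and the 0.0.0.0/0 selector question above both hinge on. For traffic leaving the router, the srcnat chain is evaluated first (first matching rule wins), and only then is the IPsec policy selector checked against the possibly already-NATed source address. The model shows three cases: a catch-all 0.0.0.0/0 policy pulls every packet into the tunnel, ordinary internet traffic included; a narrow LAN-to-remote policy never matches when masquerade has already rewritten the source; and an accept rule placed before masquerade for the LAN-to-remote pair makes the narrow policy match while internet traffic is still masqueraded. The WAN address 203.0.113.10, the remote prefix 10.10.6.0/24 (borrowed from tippenring's example rule), the host addresses and the policy names are constructed for the example; the model only looks at source, destination and out-interface, not ports or other fields.

```python
"""Model of srcnat-then-IPsec-policy ordering on a RouterOS-style router.

All addresses and names below are constructed for the example; the only
fields modelled are src-address, dst-address and out-interface.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class NatRule:
    """One srcnat rule: 'accept' stops evaluation without NAT, 'masquerade' rewrites src."""
    action: str
    src: Optional[str] = None            # src-address=
    dst: Optional[str] = None            # dst-address= (or an address-list entry)
    out_interface: Optional[str] = None  # out-interface=


@dataclass
class IpsecPolicy:
    """One IPsec policy, reduced to its src-address/dst-address selectors."""
    name: str
    src: str
    dst: str


@dataclass
class Packet:
    src: str
    dst: str
    out_interface: str


def _nat_rule_matches(rule: NatRule, pkt: Packet) -> bool:
    if rule.src and ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if rule.dst and ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    if rule.out_interface and rule.out_interface != pkt.out_interface:
        return False
    return True


def apply_srcnat(rules: List[NatRule], pkt: Packet, wan_ip: str) -> str:
    """Walk the srcnat chain top to bottom; return the source address after NAT."""
    for rule in rules:
        if not _nat_rule_matches(rule, pkt):
            continue
        if rule.action == "accept":
            return pkt.src            # explicitly excluded from NAT, chain stops here
        if rule.action == "masquerade":
            return wan_ip             # source rewritten to the WAN address
        raise ValueError(f"unsupported action {rule.action!r}")
    return pkt.src                    # nothing matched: no NAT


def select_policy(policies: List[IpsecPolicy], src: str, dst: str) -> Optional[str]:
    """Return the name of the first policy whose selectors contain src and dst."""
    for pol in policies:
        if ip_address(src) in ip_network(pol.src) and ip_address(dst) in ip_network(pol.dst):
            return pol.name
    return None


def route_packet(pkt: Packet, nat_rules: List[NatRule],
                 policies: List[IpsecPolicy], wan_ip: str) -> Tuple[str, str]:
    """Return (source after srcnat, 'tunnel:<policy>' or 'plain')."""
    src_after_nat = apply_srcnat(nat_rules, pkt, wan_ip)
    pol = select_policy(policies, src_after_nat, pkt.dst)
    return src_after_nat, (f"tunnel:{pol}" if pol else "plain")


# Constructed scenario data (WAN address and remote prefix are placeholders).
WAN_IP = "203.0.113.10"          # stands in for the x.x.x.x public address
LAN = "192.168.0.0/24"           # the LAN from the thread
REMOTE = "10.10.6.0/24"          # constructed remote network
MASQ = NatRule("masquerade", out_interface="pppoe-out1")
BYPASS = NatRule("accept", src=LAN, dst=REMOTE)   # the "do not NAT" rule
CATCH_ALL = [IpsecPolicy("catch-all", "0.0.0.0/0", "0.0.0.0/0")]
NARROW = [IpsecPolicy("lan-to-remote", LAN, REMOTE)]
TO_REMOTE = Packet("192.168.0.50", "10.10.6.20", "pppoe-out1")
TO_INTERNET = Packet("192.168.0.50", "198.51.100.80", "pppoe-out1")


def scenarios() -> dict:
    """The three cases discussed in the thread, as (remote, internet) outcomes."""
    return {
        "catch-all policy, masquerade only": (
            route_packet(TO_REMOTE, [MASQ], CATCH_ALL, WAN_IP),
            route_packet(TO_INTERNET, [MASQ], CATCH_ALL, WAN_IP)),
        "narrow policy, masquerade only": (
            route_packet(TO_REMOTE, [MASQ], NARROW, WAN_IP),
            route_packet(TO_INTERNET, [MASQ], NARROW, WAN_IP)),
        "narrow policy, bypass before masquerade": (
            route_packet(TO_REMOTE, [BYPASS, MASQ], NARROW, WAN_IP),
            route_packet(TO_INTERNET, [BYPASS, MASQ], NARROW, WAN_IP)),
    }


if __name__ == "__main__":
    for name, (remote, internet) in scenarios().items():
        print(f"{name}: to remote -> {remote}, to internet -> {internet}")
```

Running it prints the first scenario sending both packets into the tunnel as 203.0.113.10, which is the behaviour of a catch-all selector on a router that also masquerades; the second shows the narrow policy missing because the source was already rewritten; the third is the working combination. Rule order matters: placing the accept rule after masquerade gives the same result as not having it.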

Re: IPSEC Issues

Posted: Sat Jun 30, 2018 7:29 pm
by flynno
Does anyone have any experience with solving this problem? The remote end's equipment is a Fortigate.

Is MikroTik compatible with Fortigate?